{
	"id": "6834dcac-5f6e-444b-8fc6-a5eb51a02a22",
	"created_at": "2026-04-06T00:14:28.139277Z",
	"updated_at": "2026-04-10T13:11:43.431085Z",
	"deleted_at": null,
	"sha1_hash": "1732adc3e58e264d6f10b8d80a222c6b56c15ca9",
	"title": "To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1107771,
	"plain_text": "To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for\r\nPersistence\r\nBy Mandiant\r\nPublished: 2017-05-03 · Archived: 2026-04-05 14:12:23 UTC\r\nWritten by: Matthew McWhirt, Jon Erickson, DJ Palombo\r\nIn 2017, Mandiant responded to multiple incidents we attribute to FIN7, a financially motivated threat group\r\nassociated with malicious operations dating back to 2015. Throughout the various environments, FIN7 leveraged\r\nthe CARBANAK backdoor, which this group has used in previous operations.\r\nA unique aspect of the incidents was how the group installed the CARBANAK backdoor for persistent access.\r\nMandiant identified that the group leveraged an application shim database to achieve persistence on systems in\r\nmultiple environments. The shim injected a malicious in-memory patch into the Services Control Manager\r\n(“services.exe”) process, and then spawned a CARBANAK backdoor process.\r\nMandiant identified that FIN7 also used this technique to install a payment card harvesting utility for persistent\r\naccess. This was a departure from FIN7’s previous approach of installing a malicious Windows service for process\r\ninjection and persistent access.\r\nApplication Compatibility Shims Background\r\nAccording to Microsoft, an application compatibility shim is a small library that transparently intercepts an API\r\n(via hooking), changes the parameters passed, handles the operation itself, or redirects the operation elsewhere,\r\nsuch as additional code stored on a system. Today, shims are mainly used for compatibility purposes for legacy\r\napplications. While shims serve a legitimate purpose, they can also be used in a malicious manner. Mandiant\r\nconsultants previously discussed shim databases at both BruCon and BlackHat.\r\nShim Database Registration\r\nThere are multiple ways to register a shim database on a system. One technique is to use the built-in “sdbinst.exe”\r\ncommand line tool. 
Figure 1 displays the two registry keys created when a shim is registered with the\r\n“sdbinst.exe” utility.\r\nhttps://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html\r\nPage 1 of 6\n\nFigure 1: Shim database registry keys\r\nOnce a shim database has been registered on a system, the shim database file (“.sdb” file extension) will be copied\r\nto the “C:\\Windows\\AppPatch\\Custom” directory for 32-bit shims or “C:\\Windows\\AppPatch\\Custom\\Custom64”\r\ndirectory for 64-bit shims.\r\nMalicious Shim Database Installation\r\nTo install and register the malicious shim database on a system, FIN7 used a custom Base64-encoded PowerShell\r\nscript, which ran the “sdbinst.exe” utility to register a custom shim database file containing a patch onto a system.\r\nFigure 2 provides a decoded excerpt from a recovered FIN7 PowerShell script showing the parameters for this\r\ncommand.\r\nFigure 2: Excerpt from a FIN7 PowerShell script to install a custom shim\r\nFIN7 used various naming conventions for the shim database files that were installed and registered on systems\r\nwith the “sdbinst.exe” utility. A common observation was the creation of a shim database file with a “.tmp” file\r\nextension (Figure 3).\r\nFigure 3: Malicious shim database example\r\nUpon registering the custom shim database on a system, a file named with a random GUID and an “.sdb”\r\nextension was written to the 64-bit shim database default directory, as shown in Figure 4. The registered shim\r\ndatabase file had the same MD5 hash as the file that was initially created in the “C:\\Windows\\Temp” directory.\r\nFigure 4: Shim database after registration\r\nIn addition, specific registry keys were created that correlated to the shim database registration. 
Figure 5 shows\r\nthe keys and values related to this shim installation.\r\nFigure 5: Shim database registry keys\r\nThe database description used for the shim database registration, “Microsoft KB2832077”, was interesting because\r\nthis KB number was not a published Microsoft Knowledge Base patch. This description (shown in Figure 6)\r\nappeared in the listing of installed programs within the Windows Control Panel on the compromised system.\r\nFigure 6: Shim database as an installed application\r\nMalicious Shim Database Details\r\nDuring the investigations, Mandiant observed that FIN7 used a custom shim database to patch both the 32-bit and\r\n64-bit versions of “services.exe” with their CARBANAK payload. This occurred when the “services.exe” process\r\nexecuted at startup. The shim database file contained shellcode for a first-stage loader that obtained an additional\r\nshellcode payload stored in a registry key. 
The second-stage shellcode launched the CARBANAK DLL (stored in\r\na registry key), which spawned an instance of Service Host (“svchost.exe”) and injected itself into that process.\r\nFigure 7 shows a parsed shim database file that was leveraged by FIN7.\r\nFigure 7: Parsed shim database file\r\nFor the first-stage loader, the patch overwrote the “ScRegisterTCPEndpoint” function at relative virtual address\r\n(RVA) “0x0001407c” within the services.exe process with the malicious shellcode from the shim database file.\r\nThe new “ScRegisterTCPEndpoint” function (shellcode) contained a reference to the path of\r\n“\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\DRM”, which is a registry location where additional malicious\r\nshellcode and the CARBANAK DLL payload were stored on the system.\r\nFigure 8 provides an excerpt of the parsed patch structure within the recovered shim database file.\r\nFigure 8: Parsed patch structure from the shim database file\r\nThe shellcode stored within the registry path “HKLM\\SOFTWARE\\Microsoft\\DRM” used the API function\r\n“RtlDecompressBuffer” to decompress the payload. It then slept for four minutes before calling the CARBANAK\r\nDLL payload's entry point on the system. Once loaded in memory, it created a new process named “svchost.exe”\r\nthat contained the CARBANAK DLL.\r\nBringing it Together\r\nFigure 9 provides a high-level overview of a shim database being leveraged as a persistence mechanism for\r\napplying an in-memory patch, injecting shellcode into the 64-bit version of “services.exe”.\r\nFigure 9: Shim database code injection process\r\nDetection\r\nMandiant recommends the following to detect malicious application shimming in an environment:\r\n1. 
Monitor for new shim database files created in the default shim database directories of\r\n“C:\\Windows\\AppPatch\\Custom” and “C:\\Windows\\AppPatch\\Custom\\Custom64”\r\n2. Monitor for registry key creation and/or modification events for the keys of\r\n“HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom” and\r\n“HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB”\r\n3. Monitor process execution events and command line arguments for malicious use of the “sdbinst.exe”\r\nutility\r\nSource: https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html"
	],
	"report_names": [
		"fin7-shim-databases-persistence.html"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434468,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1732adc3e58e264d6f10b8d80a222c6b56c15ca9.pdf",
		"text": "https://archive.orkl.eu/1732adc3e58e264d6f10b8d80a222c6b56c15ca9.txt",
		"img": "https://archive.orkl.eu/1732adc3e58e264d6f10b8d80a222c6b56c15ca9.jpg"
	}
}